Flexera Releases 2020 Insights on Open Source License Compliance
Report shows significant need to better manage license compliance as the use of open source software continues to play a critical role in application development.
Itasca, IL - February 26, 2020 - Flexera, a demonstrated leader in open source software scanning, software installation, and software monetization, released its 2020 State of Open Source License Compliance report today.
Flexera’s Software Composition Analysis teams analyzed data from 121 audit projects to evaluate the extent to which companies under-report open source usage—and the resulting license compliance issues and vulnerabilities present in their applications. This global, cross-industry study evaluated more than 2.6 billion lines of code and uncovered 80,157 total issues; compared to the 2019 report, the average number of issues per project jumped over 80 percent, due partially to the number of Node.js packages from NPM, a trend expected to continue in 2020. The report provides valuable insights for security, engineering, and legal teams.
“Open source usage continues to grow while driving increased productivity, faster time to market, and lower cost solutions. Knowing what and how much open source is in use is critically important for any software supplier, as well as their stakeholders, partners—and their customers. The increase in the number of issues uncovered per audit project, as compared to 2019 data, emphasizes the value of having a formal open source management strategy for the entire supply chain,” said Brent Pietrzak, SVP and General Manager of Flexera’s Supplier Division. “While open source isn’t inherently riskier than proprietary code, open source can become a vulnerability when it isn’t managed properly.”
The 2020 report highlights:
- Need for increased awareness. The Flexera audit team found that 45 percent of the scanned codebase files were attributed to open source components. Only 1 percent of the issues that were uncovered during the audit process were disclosed prior to the start of the audit. Automated Software Composition Analysis (SCA) solutions can enable secure risk management through continuous scanning and monitoring to capture information frequently missed through manual or incomplete processes.
- Growth of open source issues. With one issue discovered for every 32,600 lines of scanned code, the 2020 analysis uncovered an average of 662 issues per audit project.
- Severity of license compliance issues. Priority 1 (P1) issues are the most critical and need to be remediated first. This year’s analysis showed that 17 percent of identified issues are P1, meaning they pose a critical threat that demands a culture focused on license compliance, intellectual property (IP) protection, and best-in-class open source software management.
- Fast scans aren’t enough. Fast scans alone don’t reveal all issues; more extensive audits are required to get a full picture of risk. In this research, forensic audits discovered 6 percent more issues per project compared to standard audits and 9 percent more than targeted audits.
- Prevalence of security vulnerabilities. Data from 91 forensic and standard audit services projects identified 45 security vulnerabilities per project. Among those uncovered, 45 percent contained a “high” Common Vulnerability Scoring System (CVSS) risk score.
Revenera helps product executives build better products, accelerate time to value and monetize what matters. Revenera’s leading solutions help software and technology companies drive top line revenue with modern software monetization, understand usage and compliance with software usage analytics, empower the use of open source with software composition analysis and deliver an excellent user experience—for embedded, on-premises, cloud and SaaS products. To learn more, visit www.revenera.com.